UPDATE: On 30 March 2023, GitHub updated the permissions associated with organisation and enterprise scopes. The admin:enterprise and admin:org scopes now include SAML identity information. Introducing enterprise:members_read and org:members_read scopes would have provided finer-grained controls. The wider scopes are a reasonable outcome after waiting two and a half years. Read the full changelog entry for more information about the change.
Many vendors use additional security features as a key selling point for their top-of-the-range enterprise plan. Often the enterprise tier includes access to additional logging, single sign-on, security policy enforcement and so on. These features are designed to give greater control and insight into potential security issues in the account. GitHub Enterprise Cloud includes all of this and more, but GitHub needs to fix their permissions before a malicious actor destroys a large organisation.
GitHub Enterprise Cloud allows customers to configure Single Sign On (SSO). This means once every 24 hours members of the organisation need to authenticate against the organisation’s identity provider before being granted access to resources in their GitHub organisation/s. People who have left the company lose access to the corporate GitHub repositories once their internal login is disabled. This is an important component of a broader set of software supply chain security controls.
While “System for Cross-domain Identity Management”, or SCIM for short, is available for user onboarding and offboarding within enterprise accounts, not all teams are in a position to use this. Even when SCIM can be used with GitHub enterprise accounts, there are times teams need to verify that all users in the enterprise account are valid. Due to the lack of granularity in GitHub’s organisation and enterprise OAuth scopes, running regular automated audits is significantly riskier than it needs to be.
In order to read user objects associated with enterprise membership data, only the admin:enterprise scope is required. To read organisation membership data, only the read:org scope is required. The scopes documentation provides the following descriptions: “[r]ead org and team membership, read org projects” for the org-level scope and “[r]ead enterprise profile data” for the enterprise scope. One could reasonably assume this would include the SSO username data associated with members.
This isn’t the case. The SSO user data associated with GitHub users requires the admin:enterprise scope for enterprise SSO. If SSO is configured at the organisation level, the admin:org scope is required to read the SSO user data.
These admin scopes grant significant access to the account.
In the case of the admin:org scope, it is possible to manipulate all membership of the organisation, including adding users, removing them, and promoting and demoting organisation owners. A malicious insider who gained access to a token with this scope could grant themselves ownership of the organisation, gaining full control over it, and move on from there. An external user could grant themselves access to individual repositories via the outside collaborator role, which bypasses SSO. This grants them access to commit to any repository they grant themselves access to.
The access bestowed by the admin:enterprise scope is more powerful. Most enterprise accounts use SSO at the enterprise level, as it centralises control and prevents organisation admins from messing with the configuration. Unfortunately, if the enterprise admin token is compromised it is possible for an attacker to remove an organisation from the enterprise account.
If a token has both scopes, it is possible for an attacker to chain these overly broad scopes together: invite themselves to an organisation, remove that organisation from the enterprise account (which removes SSO), accept the invitation to the organisation and move on from there. While this would be noisy, a properly prepared attacker could irreversibly destroy a large GitHub organisation in a matter of minutes.
While it is easy to say that teams need to protect their secrets, in practice things are more difficult. Credentials need to be stored somewhere. For example, if the audit script is run by a Lambda function, the credentials will be stored in SSM Parameter Store or Secrets Manager. Your AWS admins have access to all of your secrets. Using minimally scoped tokens reduces the impact of a malicious insider.
There is a precedent for GitHub introducing finer-grained scopes. As recently as October, GitHub introduced a new enterprise scope for managing self-hosted Actions runners.
I first flagged this issue with GitHub over a year ago and there is no resolution. There isn’t even a commitment to fixing this issue. I am open to other suggestions, but I propose GitHub add enterprise:members_read and org:members_read scopes that grant full read access to the users, verified email addresses and associated SSO data within an enterprise or organisation respectively.
Until this is fixed I can’t roll out automated GitHub user auditing and sleep well at night. All it takes is one motivated individual who gains access to a token with both admin scopes and it is game over. I can’t take this risk with my clients’ data and businesses.
If you have an enterprise account, I recommend you check periodically to see if users have generated personal access tokens with these scopes. GitHub provides the SSO authorisations for organisations endpoint for this purpose, and it only needs the read:org scope.
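One way to run that periodic check, as an added example that is not the post's own code: it calls GitHub's “List SAML SSO authorizations for an organization” endpoint (GET /orgs/{org}/credential-authorizations) with a read:org token and flags any authorised credential carrying admin:org or admin:enterprise. The response field names (login, token_last_eight, scopes) follow that endpoint's documentation; the SAMPLE data and the GITHUB_ORG/GITHUB_TOKEN environment variables are assumptions for this example.

```python
"""Flag SSO-authorised credentials that carry the broad admin scopes.

Added example, not code from the original post. Only read:org is needed
for the token this script itself uses.
"""
import json
import os
import urllib.request

# The two scopes the post argues are far broader than an audit job needs.
RISKY_SCOPES = {"admin:org", "admin:enterprise"}


def list_credential_authorizations(org: str, token: str) -> list:
    """Fetch one page (up to 100) of SSO-authorised credentials for an org."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/credential-authorizations?per_page=100",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_risky_credentials(authorizations: list) -> list:
    """Return (login, token_last_eight, sorted risky scopes) for every
    credential whose scopes intersect RISKY_SCOPES; empty list if none."""
    findings = []
    for auth in authorizations:
        hit = set(auth.get("scopes") or []) & RISKY_SCOPES
        if hit:
            findings.append((auth["login"], auth.get("token_last_eight"), sorted(hit)))
    return findings


# Constructed sample in the shape the endpoint returns (not real data).
SAMPLE = [
    {"login": "audit-bot", "credential_id": 1, "credential_type": "personal access token",
     "token_last_eight": "aaaaaaaa", "scopes": ["read:org", "read:user"]},
    {"login": "alice", "credential_id": 2, "credential_type": "personal access token",
     "token_last_eight": "bbbbbbbb", "scopes": ["admin:org", "repo"]},
    {"login": "bob", "credential_id": 3, "credential_type": "personal access token",
     "token_last_eight": "cccccccc", "scopes": ["admin:enterprise", "admin:org"]},
]

if __name__ == "__main__":
    org, token = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_TOKEN")
    data = list_credential_authorizations(org, token) if org and token else SAMPLE
    for login, last8, scopes in find_risky_credentials(data):
        print(f"{login}: token ...{last8} has {', '.join(scopes)}")
```

Without the environment variables set it runs against the constructed SAMPLE; with them set it queries the live endpoint for that organisation.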